Forward secrecy in transport layer security (TLS) using ephemeral keys
Abstract
Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
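The handshake the abstract (and claim 1) describes, written out as an added Go example; this is not code from the patent or from any product. The server signs a fresh ephemeral RSA public key into a short-lived X.509 certificate with its long-term key, which is what makes it a subordinate CA; the client validates that temporary certificate against the server certificate, generates a 32-byte session key and wraps it with the ephemeral public key (RSA-OAEP with SHA-256) in lieu of the server public key; the server recovers the session key with the ephemeral private key. The key size, host name, OAEP label and the choice of OAEP/SHA-256 are assumptions, since the patent text fixes none of them. The last function is the check a reviewer would want: a recorded client message cannot be opened with the server's long-term private key, which is why discarding the ephemeral key after the session gives forward secrecy.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ( // assumed for this demonstration; the patent fixes neither a host name nor a wrapping scheme
	hostName  = "server.example.invalid"
	oaepLabel = "tls-session-key"
)

// ServerIdentity: the server's long-lived RSA key pair and its self-signed, CA-capable certificate.
type ServerIdentity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewServerIdentity generates the long-term key and the "server certificate" of the claimed chain.
func NewServerIdentity() (*ServerIdentity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits is an assumption, not a patent parameter
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // the server signs its own temporary certificates
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ServerIdentity{Key: key, Cert: cert}, err
}

// IssueTemporaryCertificate answers a new-session request with a fresh ephemeral RSA key
// pair and a short-lived certificate over its public key, signed with the server private key.
func (s *ServerIdentity) IssueTemporaryCertificate() (*rsa.PrivateKey, []byte, error) {
	eph, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; a real issuer tracks uniqueness
		Subject:      pkix.Name{CommonName: hostName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(5 * time.Minute), // only has to outlive the handshake
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.Cert, &eph.PublicKey, s.Key)
	return eph, der, err // the ephemeral private key never leaves the server
}

// ClientKeyExchange validates the temporary certificate against the server certificate, derives
// a random 32-byte session key and wraps it with the ephemeral public key (RSA-OAEP), not the server key.
func ClientKeyExchange(tempDER []byte, serverCert *x509.Certificate) (sessionKey, wrapped []byte, err error) {
	temp, err := x509.ParseCertificate(tempDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	if _, err := temp.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, nil, fmt.Errorf("temporary certificate rejected: %w", err)
	}
	ephPub, ok := temp.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("temporary certificate does not carry an RSA key")
	}
	sessionKey = make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ephPub, sessionKey, []byte(oaepLabel))
	return sessionKey, wrapped, err
}

// ServerRecoverSessionKey completes the handshake by applying the ephemeral private key.
func ServerRecoverSessionKey(eph *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, eph, wrapped, []byte(oaepLabel))
}

// LongTermKeyCannotUnwrap is the forward-secrecy check: a recorded client message does not open
// under the long-term server key, so compromising that key later exposes no past session key.
func LongTermKeyCannotUnwrap(s *ServerIdentity, wrapped []byte) bool {
	_, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, wrapped, []byte(oaepLabel))
	return err != nil
}
```

One handshake is NewServerIdentity, then IssueTemporaryCertificate, ClientKeyExchange and ServerRecoverSessionKey in that order, after which the ephemeral private key is dropped. In a real stack the recovered session key would feed the TLS key schedule rather than being used directly, and the ephemeral private key would be zeroized, not merely left for the garbage collector, once the session is established.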
Claims
Having described the subject matter, what we claim is as follows:
1. A method of preventing compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server having a public key pair comprising a server public key, and an associated server private key, comprising:
at the client:
issuing to the server a request to establish a new session;
receiving from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
validating at least the temporary certificate;
responsive to validating the temporary certificate, deriving a session key for the new session;
applying the ephemeral public key of the server to the derived session key to generate a message; and
outputting the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.
2. The method as described in claim 1 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adleman (RSA) key pairs.
3. The method as described in claim 1 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.
4. The method as described in claim 1 further including validating the server certificate.
5. The method as described in claim 1 wherein, following establishment of the new session, applying the derived session key to application data.
6. The method as described in claim 1 wherein the ephemeral public key is not re-used following closing of the new session.
7. An apparatus configured as a client, comprising:
a processor;
computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between the client and a server, the server having a public key pair comprising a server public key, and an associated server private key, the program code configured to:
issue to the server a request to establish a new session;
receive from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
validate at least the temporary certificate;
responsive to validating the temporary certificate, derive a session key for the new session;
apply the ephemeral public key of the server to the derived session key to generate a message; and
output the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.
8. The apparatus as described in claim 7 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adleman (RSA) key pairs.
9. The apparatus as described in claim 7 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.
10. The apparatus as described in claim 7 wherein the program code is also configured to validate the server certificate.
11. The apparatus as described in claim 7 wherein the program code is further configured following establishment of the new session to apply the derived session key to application data.
12. The apparatus as described in claim 7 wherein the ephemeral public key is not re-used following closing of the new session.
13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server having a public key pair comprising a server public key, and an associated server private key, the computer program instructions comprising program code configured at the client to:
issue to the server a request to establish a new session;
receive from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
validate at least the temporary certificate;
responsive to validating the temporary certificate, derive a session key for the new session;
apply the ephemeral public key of the server to the derived session key to generate a message; and
output the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.
14. The computer program product as described in claim 13 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adleman (RSA) key pairs.
15. The computer program product as described in claim 13 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.
16. The computer program product as described in claim 13 wherein the program code is also configured to validate the server certificate.
17. The computer program product as described in claim 13 wherein the program code is further configured following establishment of the new session to apply the derived session key to application data.
18. The computer program product as described in claim 13 wherein the ephemeral public key is not re-used following closing of the new session.